CVE-2025-4779

Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions prior to 1.9.24

Description: The issue allows an unauthenticated attacker to inject malicious JavaScript into the "v1/runs/ingest" endpoint by adding an empty citations field. This triggers a code path where dangerouslySetInnerHTML is used to render attacker-controlled text, potentially leading to the execution of arbitrary JavaScript in the context of the user's browser. This could result in session hijacking, data theft, or other malicious actions.

Recommendations: For versions prior to 1.9.24, update to version 1.9.24 or later to resolve the issue. As a temporary workaround, consider restricting access to the "v1/runs/ingest" endpoint to minimize the risk of exploitation. Additionally, avoid using the citations field in the affected endpoint until the issue is resolved.